Analysis
-
max time kernel: 147s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 02:16
Behavioral task behavioral1
Sample: 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Resource: win10v2004-20241007-en
The results below (platform windows10-2004_x64, yara match paths under behavioral2/) come from behavioral2; the Windows 7 task is listed but its results are not shown on this page.
General
-
Target: 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Size: 36.6MB
MD5: 19773de3aada9bebac1c8a284059e0a5
SHA1: 482dcb8326ab158a0b054516cede9d80119dca7b
SHA256: 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217
SHA512: 829ee42d011ca1064a272fc626540b5ddf115d1e59e8e107b185def9ced215b96ce3018c7ff4a8a6c30893e313c64e1df58e7771e1d2f868fcfa61c7ecd56346
SSDEEP: 786432:w5iyxGxoo4kxSjEN0CgFjaj2G8NkzJD4pSbN+WYbO7fqffK:w01xoLvCgxayG8NkzJDaSbN+WY8qffK
Malware Config
Signatures
-
AxBanker
AxBanker is an Android banking trojan that harvests bank customers' information and is distributed through fake banking applications.
The sample under analysis is a 32-bit Windows executable (SysWOW64 and WOW6432Node paths in the IoCs, a CLR_v4.0_32 usage log among the dropped files) and every stage matches the themida yara rule, so a family match against an Android banking trojan is a weak classification on its own. Treat it as a signature hit to confirm against the unpacked memory dumps, not as attribution.
-
Axbanker family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | BtlhzpOVFhG.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS version strings are often read to detect sandboxes and virtual machines, whose BIOS strings usually name the hypervisor. Each of the three stages reads both values.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BtlhzpOVFhG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BtlhzpOVFhG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), most likely to geofence execution.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | BtlhzpOVFhG.exe
-
Executes dropped EXE 2 IoCs
PID 1912 is not the submitted file: it is tmpE3E8.tmp moved over the original path by the cmd.exe chain under PID 3684 and restarted under the original name. PID 408 is the second-stage binary written to the user's roaming profile.
pid | Process
1912 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
408 | BtlhzpOVFhG.exe
-
Themida packer 9 IoCs
All three stages (PIDs 4804, 1912, 408) and both dropped binaries match the yara rule themida, so the on-disk files are packed and the memory dumps listed here are where the unpacked code is.
resource | yara_rule
behavioral2/memory/4804-13-0x0000000000270000-0x0000000003772000-memory.dmp | themida
behavioral2/memory/4804-14-0x0000000000270000-0x0000000003772000-memory.dmp | themida
behavioral2/memory/4804-36-0x0000000000270000-0x0000000003772000-memory.dmp | themida
behavioral2/files/0x0007000000023cb2-37.dat | themida
behavioral2/memory/1912-43-0x0000000000290000-0x00000000039EA000-memory.dmp | themida
behavioral2/memory/1912-44-0x0000000000290000-0x00000000039EA000-memory.dmp | themida
behavioral2/files/0x0003000000000711-48.dat | themida
behavioral2/memory/408-54-0x00000000009F0000-0x00000000042A2000-memory.dmp | themida
behavioral2/memory/408-55-0x00000000009F0000-0x00000000042A2000-memory.dmp | themida
-
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BtlhzpOVFhG.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
ThreadHideFromDebugger detaches the calling thread from any attached debugger, so breakpoints and exceptions in that thread are no longer delivered to it. It is standard anti-debugging and is commonly emitted by commercial packers such as Themida, which all three stages are packed with.
pid | Process
4804 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
1912 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
408 | BtlhzpOVFhG.exe
-
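The five registry reads above (the VBOX__ ACPI table, both BIOS version strings, Geo\Nation, EnableLUA) are the pre-flight environment check that every stage of this sample performs before doing anything else. As an added example that is not part of the sandbox report, the following Python tags registry-access events by those key paths and flags a process only when it hits several distinct tags, so that the NLS\Language reads which Microsoft's own console utilities also perform never fire on their own. The pids, image names and key paths are taken from the report; the event line format, the tag names and the threshold are this example's assumptions.

```python
import re
from collections import defaultdict

SAMPLE_EXE = "4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
USER_SID = "S-1-5-21-4050598569-1597076380-177084960-1000"
GEO_NATION = r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % USER_SID

# Registry paths the report shows each stage reading, tagged by what the read
# tells the malware. Patterns are written here to match the report's key paths;
# they are not the sandbox's own rules.
ANTI_ANALYSIS_KEYS = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), "acpi_vbox"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "bios_version"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "geo_nation"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "enable_lua"),
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "nls_language"),
]

# netsh.exe, cmd.exe and choice.exe all read NLS\Language in the report, so one
# tag alone must never be enough; the sample and its dropped copy hit four or
# five distinct tags each. The threshold is an assumption for this example.
MIN_DISTINCT_TAGS = 3

# Constructed event format (key=value pairs, one event per line), not a sandbox export.
EVENT_RE = re.compile(r"^pid=(?P<pid>\d+) image=(?P<image>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")


def tag_path(path):
    """Return the anti-analysis tag for a registry path, or None if it is not tracked."""
    for pattern, tag in ANTI_ANALYSIS_KEYS:
        if pattern.search(path):
            return tag
    return None


def score_events(lines):
    """Group tagged registry reads by pid: {pid: (image, sorted distinct tags)}."""
    tags_by_pid = defaultdict(set)
    image_by_pid = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        tag = tag_path(m["path"])
        if tag is None:
            continue
        pid = int(m["pid"])
        tags_by_pid[pid].add(tag)
        image_by_pid[pid] = m["image"]
    return {pid: (image_by_pid[pid], sorted(tags)) for pid, tags in tags_by_pid.items()}


def flag_processes(lines, min_tags=MIN_DISTINCT_TAGS):
    """Return the pids whose distinct anti-analysis reads reach the threshold."""
    return sorted(pid for pid, (_, tags) in score_events(lines).items() if len(tags) >= min_tags)


def _ev(pid, image, op, path):
    return f"pid={pid} image={image} op={op} path={path}"


# Constructed events mirroring the report's IoC rows (pids and images are the report's).
SAMPLE_EVENTS = [
    _ev(4804, SAMPLE_EXE, "KeyOpened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    _ev(4804, SAMPLE_EXE, "ValueQueried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _ev(4804, SAMPLE_EXE, "ValueQueried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    _ev(4804, SAMPLE_EXE, "ValueQueried", GEO_NATION),
    _ev(4804, SAMPLE_EXE, "ValueQueried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    _ev(4804, SAMPLE_EXE, "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    _ev(408, "BtlhzpOVFhG.exe", "KeyOpened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    _ev(408, "BtlhzpOVFhG.exe", "ValueQueried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _ev(408, "BtlhzpOVFhG.exe", "ValueQueried", GEO_NATION),
    _ev(408, "BtlhzpOVFhG.exe", "ValueQueried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    _ev(4440, "netsh.exe", "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    _ev(4440, "netsh.exe", "KeyOpened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh"),
    _ev(1568, "choice.exe", "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    _ev(3684, "cmd.exe", "KeyOpened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

if __name__ == "__main__":
    for pid, (image, tags) in sorted(score_events(SAMPLE_EVENTS).items()):
        print(pid, image, tags)
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

On the constructed events only PIDs 4804 and 408 reach the threshold; the netsh.exe, choice.exe and cmd.exe children each carry the single nls_language tag and stay silent. Lowering min_tags to 1 reproduces the report's noisier System Language Discovery list.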
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. At startup it loads the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh (the WOW6432Node view for the 32-bit binary), so a helper registered there by an attacker runs every time netsh is invoked (ATT&CK T1546.007).
In this run the signature fired only because each of the nine netsh.exe children enumerated that key on startup, which netsh always does. None of the command lines is netsh add helper and none writes to the key; what was actually executed is nine netsh int tcp set ... TCP stack tuning commands (see the process tree). Treat these 27 rows as a false positive unless a write to the NetSh key turns up.
The 27 rows are one open/query/enumerate set per netsh.exe invocation:
description | ioc | Process | rows
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe | 9
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe | 9
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe | 9
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Microsoft's own console utilities read this key during locale initialisation, so the netsh.exe, cmd.exe and choice.exe rows are background noise from the children the malware spawned; the reads by the sample and by BtlhzpOVFhG.exe are the ones attributable to the malware itself, and they line up with the Geo\Nation lookup above.
description | ioc | Process | rows
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BtlhzpOVFhG.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe | 9
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 1
-
System Time Discovery 1 TTPs 1 IoCs
Adversaries may gather the system time and/or time zone settings from a local or remote system.
The single IoC is PID 1336, the netsh.exe that ran int tcp set global timestamps=disabled. That argument turns off the TCP timestamps option on the network stack; it does not read the system clock or time zone, so this hit is a keyword match rather than reconnaissance.
pid | Process
1336 | netsh.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process | rows
4804 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 13
1912 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 2
408 | BtlhzpOVFhG.exe | 3
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Every stage enables SeDebugPrivilege, which is what a process needs to open handles to other users' processes; together with the process enumeration above and the SetWindowsHookEx calls from PID 408 it indicates the capability to read or inject into other processes, although the report does not show that happening.
description | pid | Process
Token: SeDebugPrivilege | 4804 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Token: SeDebugPrivilege | 1912 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe
Token: SeDebugPrivilege | 408 | BtlhzpOVFhG.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Only the second stage installs Windows hooks. SetWindowsHookEx is the standard API both for keyboard and mouse hooks and for getting a DLL loaded into other processes; the report does not say which hook type was set.
pid | Process
408 | BtlhzpOVFhG.exe
408 | BtlhzpOVFhG.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
The 48 rows are the parent-to-child writes made when each child was created (two or three rows per child). Grouped by parent and child:
parent pid | parent Process | child pid (image) | procid_target | rows
4804 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 4144 (chrome.exe) | 82 | 2
4804 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 3684 (cmd.exe) | 91 | 3
3684 | cmd.exe | 1568 (choice.exe) | 93 | 3
3684 | cmd.exe | 764 (choice.exe) | 94 | 3
3684 | cmd.exe | 1912 (4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe) | 95 | 3
1912 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 3964 (chrome.exe) | 96 | 2
1912 | 4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe | 408 (BtlhzpOVFhG.exe) | 97 | 3
408 | BtlhzpOVFhG.exe | 1148 (chrome.exe) | 98 | 2
408 | BtlhzpOVFhG.exe | 4440 (netsh.exe) | 99 | 3
408 | BtlhzpOVFhG.exe | 2588 (netsh.exe) | 100 | 3
408 | BtlhzpOVFhG.exe | 4596 (netsh.exe) | 101 | 3
408 | BtlhzpOVFhG.exe | 4892 (netsh.exe) | 102 | 3
408 | BtlhzpOVFhG.exe | 5100 (netsh.exe) | 103 | 3
408 | BtlhzpOVFhG.exe | 4084 (netsh.exe) | 104 | 3
408 | BtlhzpOVFhG.exe | 1544 (netsh.exe) | 105 | 3
408 | BtlhzpOVFhG.exe | 1336 (netsh.exe) | 106 | 3
408 | BtlhzpOVFhG.exe | 1364 (netsh.exe) | 107 | 3
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe  (PID 4804)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4144)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
   2  C:\Windows\SysWOW64\cmd.exe  (PID 3684)
      cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 4 & Del /F /Q "C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe" & choice /C Y /N /D Y /T 2 & Move /Y "C:\Users\Admin\AppData\Local\Temp\tmpE3E8.tmp" "C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe" & Start "" /D "C:\Users\Admin\AppData\Local\Temp" "4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\choice.exe  (PID 1568)
         cmdline: choice /C Y /N /D Y /T 4
         - System Location Discovery: System Language Discovery
      3  C:\Windows\SysWOW64\choice.exe  (PID 764)
         cmdline: choice /C Y /N /D Y /T 2
         - System Location Discovery: System Language Discovery
      3  C:\Users\Admin\AppData\Local\Temp\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe  (PID 1912)
         cmdline: "4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
         - Identifies VirtualBox via ACPI registry values (likely anti-VM)
         - Checks BIOS information in registry
         - Checks computer location settings
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3964)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
         4  C:\Users\Admin\AppData\Roaming\Microsoft\Network\host\Btlh\BtlhzpOVFhG.exe  (PID 408)
            cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Network\host\\Btlh\BtlhzpOVFhG.exe" MAIN_EXE
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1148)
               cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window --start-in-incognito
            5  C:\Windows\SysWOW64\netsh.exe  (PID 4440)
               cmdline: "netsh" int tcp set heuristics disabled
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 2588)
               cmdline: "netsh" int tcp set global autotuninglevel=normal
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 4596)
               cmdline: "netsh" int tcp set global congestionprovider=ctcp
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 4892)
               cmdline: "netsh" int tcp set global ecncapability=default
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 5100)
               cmdline: "netsh" int tcp set global rss=enabled
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 4084)
               cmdline: "netsh" int tcp set global chimney=disabled
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 1544)
               cmdline: "netsh" int tcp set global dca=enabled
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 1336)
               cmdline: "netsh" int tcp set global timestamps=disabled
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
               - System Time Discovery
            5  C:\Windows\SysWOW64\netsh.exe  (PID 1364)
               cmdline: "netsh" int tcp set global rsc=enabled
               - Event Triggered Execution: Netsh Helper DLL
               - System Location Discovery: System Language Discovery
-
Reading the tree: the submitted file (PID 4804) runs its environment checks, opens a background Chrome incognito window, then hands off to a cmd.exe chain that sleeps about 4 s (choice /T 4 with default Y), deletes the submitted file, sleeps about 2 s, moves tmpE3E8.tmp onto the original path and starts it again. The restarted copy (PID 1912) repeats the checks, opens another Chrome window and launches the second stage BtlhzpOVFhG.exe from AppData\Roaming\Microsoft\Network\host\Btlh with the argument MAIN_EXE. That stage (PID 408) repeats the checks a third time, opens a third Chrome window, installs Windows hooks and runs nine netsh int tcp set commands that tune the TCP stack (autotuning, congestion provider, ECN, RSS, chimney offload, DCA, timestamps, RSC). cmd.exe was requested as C:\Windows\System32\cmd.exe but runs from C:\Windows\SysWOW64, i.e. file-system redirection applied because the parent is a 32-bit process. Why each stage opens Chrome with --no-startup-window --start-in-incognito is not visible in this report, and no network activity is shown on this page.
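Two of the signatures in this tree need context before they are escalated: the Netsh Helper DLL hits, which fire on netsh's normal startup enumeration of its helper key rather than on a helper being registered, and the cmd.exe chain under PID 3684, which is a timed delete-and-replace of the sample's own file. As an added example that is not part of the sandbox report, the following Python classifies a netsh command line as a real helper registration or as TCP tuning, and parses a cmd /C chain to confirm that all three steps (delete, move over, restart) target the parent executable. The command lines are copied from the process tree above; the netsh add helper line naming evil.dll is constructed to show the positive case, and the function names are this example's own.

```python
import ntpath
import shlex

# Command lines copied from the report's process tree.
SAMPLE_EXE = "4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE_EXE)
SWAP_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 4 & '
    r'Del /F /Q "' + SAMPLE_PATH + r'" & choice /C Y /N /D Y /T 2 & '
    r'Move /Y "C:\Users\Admin\AppData\Local\Temp\tmpE3E8.tmp" "' + SAMPLE_PATH + r'" & '
    r'Start "" /D "C:\Users\Admin\AppData\Local\Temp" "' + SAMPLE_EXE + r'"'
)
NETSH_CMDLINES = [
    '"netsh" int tcp set heuristics disabled',
    '"netsh" int tcp set global autotuninglevel=normal',
    '"netsh" int tcp set global timestamps=disabled',
]
# Constructed line (not from the report): the shape the helper-DLL signature is meant to catch.
HELPER_CMDLINE = r'"netsh" add helper C:\Users\Admin\AppData\Roaming\evil.dll'


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments together
    and stripping their quotes. Non-POSIX shlex leaves backslashes untouched."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify_netsh(cmdline):
    """('helper_dll', dll) only for `netsh add helper <dll>` (T1546.007 persistence);
    ('tcp_tuning', args) for `netsh interface tcp set ...`; ('other', args) otherwise."""
    toks = tokens(cmdline)
    if toks and ntpath.basename(toks[0]).lower() in ("netsh", "netsh.exe"):
        toks = toks[1:]
    low = [t.lower() for t in toks]
    if len(low) >= 3 and low[:2] == ["add", "helper"]:
        return "helper_dll", toks[2]
    if len(low) >= 3 and low[0] in ("int", "interface") and low[1:3] == ["tcp", "set"]:
        return "tcp_tuning", " ".join(low[3:])
    return "other", " ".join(low)


def split_chain(cmdline):
    """Break `cmd /C a & b & c` into one token list per command (handles `&` only
    when it is a separate token, as in the report's command line)."""
    toks = tokens(cmdline)
    if toks and ntpath.basename(toks[0]).lower() == "cmd.exe":
        toks = toks[1:]
    if toks and toks[0].lower() in ("/c", "/k"):
        toks = toks[1:]
    chain, cur = [], []
    for t in toks:
        if t == "&":
            if cur:
                chain.append(cur)
            cur = []
        else:
            cur.append(t)
    if cur:
        chain.append(cur)
    return chain


def _positional(args):
    return [a for a in args if not a.startswith("/")]


def analyse_swap_chain(cmdline, parent_path):
    """Report the choice /T delays and which of delete / move-over / restart hit
    parent_path; self_replace is True only when all three do."""
    target = ntpath.normcase(parent_path)
    result = {"delays": [], "deletes_parent": False, "overwrites_parent": False,
              "restarts_parent": False}
    for cmd in split_chain(cmdline):
        verb, args = cmd[0].lower(), cmd[1:]
        up = [a.upper() for a in args]
        if verb == "choice" and "/T" in up and up.index("/T") + 1 < len(args):
            result["delays"].append(int(args[up.index("/T") + 1]))
        elif verb in ("del", "erase"):
            if any(ntpath.normcase(p) == target for p in _positional(args)):
                result["deletes_parent"] = True
        elif verb == "move":
            pos = _positional(args)
            if len(pos) == 2 and ntpath.normcase(pos[1]) == target:
                result["overwrites_parent"] = True
        elif verb == "start":
            pos = [a for a in args if a != ""]  # drop the empty window title
            up = [a.upper() for a in pos]
            workdir = ""
            if "/D" in up and up.index("/D") + 1 < len(pos):
                i = up.index("/D")
                workdir, pos = pos[i + 1], pos[:i] + pos[i + 2:]
            exe = next((a for a in pos if not a.startswith("/")), "")
            if ntpath.normcase(ntpath.join(workdir, exe)) == target:
                result["restarts_parent"] = True
    result["self_replace"] = (result["deletes_parent"] and result["overwrites_parent"]
                              and result["restarts_parent"])
    return result


if __name__ == "__main__":
    for c in NETSH_CMDLINES + [HELPER_CMDLINE]:
        print(classify_netsh(c))
    print(analyse_swap_chain(SWAP_CMDLINE, SAMPLE_PATH))
```

All nine netsh lines in the tree classify as tcp_tuning, so a detection keyed on helper_dll would have stayed quiet here while still catching the constructed add helper case. The chain analysis returns delays [4, 2] and self_replace True for PID 3684's command line, which is the behaviour worth alerting on: the file that ends up under the submitted name after the swap is not the file that was submitted.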
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4400ba385c37b8c0ec3c63463794c2a335fe8823a0a43a910ae6400337371217.exe.log
Filesize: 1KB
MD5: 7ebe314bf617dc3e48b995a6c352740c
SHA1: 538f643b7b30f9231a3035c448607f767527a870
SHA256: 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512: 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e
(A usage log under CLR_v4.0_32 is written by the .NET Framework 4 runtime for a 32-bit process, so the submitted file ran as a 32-bit .NET application once unpacked.)
-
Filesize: 36.2MB
MD5: e6bc7ea5d65ac4164764461138dae6f6
SHA1: bfa7c7e4b8d962206012a168bd83e7f5fd5784f5
SHA256: 34cd7628b947c3dabbf76ce8e47fe72217d6b2210304a6e1f000bddbcd3e13d9
SHA512: 7d98f84d407050158ba4705cab7443b1b90894b18e571926404b95646eca8a69f881d9487afbbded78f9cedb18a07e2ecf0a9de2e838762a7112d3d105db337f
-
Filesize: 22.2MB
MD5: 069114a0b88feb59473387cec3fc4d9a
SHA1: ca7c7b73a9c329399715add956847f092ffea68e
SHA256: 9a506bdd18ab1e26e8f9d0d1d95a0d83984ebcf8c915ac8a962f579f724a53ac
SHA512: c9de619ca7f8037e75de9ea9a3fdc562357197bc418ff40cd7c50295008d77e2e7c7c980141903b796cf5a99c1c5fb1feec5b5532635f5f3a5919f0511881d2d